Closed Bug 572774 Opened 14 years ago Closed 14 years ago

NULL deref in ecma/GlobalObject/15.1-2-n.js, browser only

Categories

(Core :: JavaScript Engine, defect)

Other Branch
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: jorendorff, Assigned: gal)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

This stack has some extra patches applied on top of tip, but the bug is in tip.

(gdb) bt
#0  0x00cd4728 in JSObject::getClass (this=0x0) at ../../dist/include/jsobj.h:270
#1  0x010e3dcd in XPCWrapper::UnwrapGeneric (cx=0xb2132400, xclasp=0x1fa8f00, wrapper=((JSObject *) NULL))
    at /home/jorendorff/dev/tracemonkey/js/src/xpconnect/src/XPCWrapper.h:348
#2  0x010fd271 in GetWrappedObject (cx=0xb2132400, wrapper=((JSObject *) NULL))
    at /home/jorendorff/dev/tracemonkey/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:142
#3  0x010ffd96 in XPC_XOW_Call (cx=0xb2132400, obj=((JSObject *) NULL), argc=0, argv=0xb5efe124, rval=0xb5efe168)
    at /home/jorendorff/dev/tracemonkey/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:1086
#4  0x020ca7d6 in js_Call (cx=0xb2132400, obj=((JSObject *) NULL), argc=0, argv=0xb5efe124, rval=0xb5efe168)
    at /home/jorendorff/dev/tracemonkey/js/src/jsobj.cpp:5614
#5  0x020acb9c in js::callJSNative (cx=0xb2132400, native=0x20ca738 <js_Call>, thisobj=((JSObject *) NULL), argc=
    0, argv=0xb5efe124, rval=0xb5efe168) at /home/jorendorff/dev/tracemonkey/js/src/jscntxtinlines.h:321
#6  0x020aa561 in Invoke (cx=0xb2132400, fun=0x0, script=0x0, native=0x20ca738 <js_Call>, args=..., flags=0)
    at /home/jorendorff/dev/tracemonkey/js/src/jsinterp.cpp:551
#7  0x020aab46 in js_Invoke (cx=0xb2132400, args=..., flags=0)
    at /home/jorendorff/dev/tracemonkey/js/src/jsinterp.cpp:678
#8  0x02098aac in js_Interpret (cx=0xb2132400) at /home/jorendorff/dev/tracemonkey/js/src/jsops.cpp:2156
#9  0x020ab241 in js_Execute (cx=0xb2132400, chain=0xb0115820, script=0xaf4a5a60, down=0xb5efe024, flags=16, 
    result=0xb5efe0a0) at /home/jorendorff/dev/tracemonkey/js/src/jsinterp.cpp:855
#10 0x020be787 in obj_eval (cx=0xb2132400, argc=1, vp=0xb5efe0a0)
    at /home/jorendorff/dev/tracemonkey/js/src/jsobj.cpp:1353
#11 0x02098920 in js_Interpret (cx=0xb2132400) at /home/jorendorff/dev/tracemonkey/js/src/jsops.cpp:2146
#12 0x020ab241 in js_Execute (cx=0xb2132400, chain=0xb0115820, script=0xaf0baaa0, down=0x0, flags=0, result=0x0)
    at /home/jorendorff/dev/tracemonkey/js/src/jsinterp.cpp:855
#13 0x0201b839 in JS_EvaluateUCScriptForPrincipals (cx=0xb2132400, obj=((JSObject *) 0xb0115820) [object Window], 
    principals=0xafe95b04, chars=
    ((jschar *) 0xaca40008) '/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */\x0a/* ***** BEGIN LICENSE BLOCK *****\x0a * Version: MPL......
(and browser frames after that)
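The frames above show the engine invoking a class call hook (XPC_XOW_Call, frame #3) with a NULL this-object (thisobj=((JSObject *) NULL) in frame #5), which is passed unchecked into XPCWrapper::UnwrapGeneric and dereferenced by JSObject::getClass in frame #0. The following is an added, constructed model of that path, not SpiderMonkey or XPConnect code: every struct and function name is hypothetical, and the "unchecked" and "checked" unwrap helpers stand in for the shape of the bug and the shape of a fix, not for the actual patch attached below.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not SpiderMonkey/XPConnect code) of the call path in the
 * backtrace: objects carry a class pointer, a cross-origin wrapper class has a
 * call hook that unwraps its this-object, and an invoke step hands that hook a
 * NULL this-object, as callJSNative(thisobj=NULL) does in frame #5.
 * All names here are hypothetical. */

typedef struct ClassModel ClassModel;

typedef struct ObjModel {
    const ClassModel *clasp;
    struct ObjModel *wrapped;   /* the object a wrapper stands in for */
} ObjModel;

/* Class call hook: returns 1 on success, 0 after "reporting" a TypeError. */
typedef int (*CallHook)(ObjModel *thisobj, int argc, const int *argv, int *rval);

struct ClassModel {
    const char *name;
    CallHook call;
};

static int xow_call(ObjModel *thisobj, int argc, const int *argv, int *rval);

static const ClassModel window_class = { "Window", NULL };
static const ClassModel xow_class    = { "XPCCrossOriginWrapper", xow_call };

/* Modeled on JSObject::getClass(): reads through the pointer unconditionally. */
static const ClassModel *get_class(const ObjModel *obj) { return obj->clasp; }

/* Modeled on the shape of XPCWrapper::UnwrapGeneric() in frame #1: with
 * wrapper == NULL the get_class() read is the NULL dereference. Only ever
 * call this with a non-NULL wrapper. */
static ObjModel *unwrap_generic_unchecked(ObjModel *wrapper, const ClassModel *xclasp) {
    if (get_class(wrapper) != xclasp)
        return NULL;                      /* not one of our wrappers */
    return wrapper->wrapped;
}

/* Hardened form: a missing wrapper is "nothing to unwrap", not a crash. */
static ObjModel *unwrap_generic_checked(ObjModel *wrapper, const ClassModel *xclasp) {
    if (wrapper == NULL || get_class(wrapper) != xclasp)
        return NULL;
    return wrapper->wrapped;
}

/* Modeled on XPC_XOW_Call() (frame #3): the hook must tolerate a NULL
 * this-object, because the engine can and does invoke it with one. */
static int xow_call(ObjModel *thisobj, int argc, const int *argv, int *rval) {
    (void)argc; (void)argv;
    ObjModel *inner = unwrap_generic_checked(thisobj, &xow_class);
    if (inner == NULL) {
        /* Where the real hook would report "not a function" and return false. */
        *rval = -1;
        return 0;
    }
    /* Stand-in for forwarding the call to the wrapped object. */
    *rval = (int)(inner->clasp == &window_class);
    return 1;
}

/* Modeled on js::callJSNative()/Invoke(): dispatch to the class hook with
 * whatever this-object the caller supplied, NULL included. */
static int invoke_call_hook(const ClassModel *clasp, ObjModel *thisobj, int *rval) {
    return clasp->call(thisobj, 0, NULL, rval);
}

/* The scenario from the bug: the hook is reached with obj == NULL. */
int call_xow_with_null_this(void) {
    int rval = 0;
    return invoke_call_hook(&xow_class, NULL, &rval);   /* 0: TypeError, no crash */
}

/* Control: a real wrapper around a Window forwards normally. */
int call_xow_with_real_this(void) {
    ObjModel window  = { &window_class, NULL };
    ObjModel wrapper = { &xow_class, &window };
    int rval = 0;
    if (!invoke_call_hook(&xow_class, &wrapper, &rval))
        return -1;
    return rval;                                        /* 1 */
}

/* The unchecked unwrap is fine on a real wrapper; only the NULL case faults. */
int unchecked_unwrap_on_real_wrapper_is_window(void) {
    ObjModel window  = { &window_class, NULL };
    ObjModel wrapper = { &xow_class, &window };
    return unwrap_generic_unchecked(&wrapper, &xow_class) == &window;
}

int main(void) {
    printf("null this: %d\n", call_xow_with_null_this());
    printf("real this: %d\n", call_xow_with_real_this());
    return 0;
}
```

The point of the model is where the check belongs: the interpreter legitimately passes a NULL this-object to natives, so any class hook (and any unwrap helper it calls) has to treat NULL as "not a wrapper" before reading the class pointer, rather than trusting that every caller filtered it out.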
Attached patch patch (obsolete) — Splinter Review
Assignee: general → gal
Attached patch patch — Splinter Review
Attachment #451987 - Attachment is obsolete: true
Landed with some style nits picked.

http://hg.mozilla.org/tracemonkey/rev/37b09e487d80
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/37b09e487d80
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED